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Abstract 

We consider a version of Shor's quantum factoring algorithm such 
that the quantum Fourier transform is replaced by an extremely 
simple one where decomposition coefficients take only the values of 
In numerous calculations which have been carried out so 
far, our algorithm has been surprisingly stable and never failed. There 
are numerical indications that the probability of period finding given 
by the algorithm is a slowly decreasing function of the number to be 
factorized and is typically less than in Shor's algorithm. On the other 
hand, quantum computer (QC), capable of implementing our algo- 
rithm, will require a much less amount of resources and will be much 
less error-sensitive than standard QC. We also propose a modification 
of Coppersmith' Approximate Fast Fourier Transform. The numerical 
results show that the probability is signifacantly amplified even in the 
first post integral approximation. Our algorithm can be very useful 
at early stages of development of quantum computer. 

1 Motivation 

The discovery of Shor's quantum algorithm for factoring a big 
integer resulted in considerable increase of interest to quantum 
computations and quantum theory in general. The details of 
the algorithm can be found in original Shor's publications [1-3], 
numerous review articles and lecture notes (see e.g. Refs. [4-8]). 
The main result of the algorithm is that for quantum computer, 
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the number of steps required for factoring a big number N into 
primes is of order (/oc/N) 3 . It is known that even the best clas- 
sical algorithm requires at least (constN) 1 / 3 steps for that pur- 
pose. Here and henceforth we assume that all logarithms have 
the base 2. 

The main ingredient of Shor's algorithm is Quantum Fourier 
Transform (QFT - don't confuse this abbreviation with quan- 
tum field theory!). It is used for finding a period of the func- 
tion a x (mod N) where a is a number coprime to N. Shor has 
proved [1-3] that the probability of period finding by using QFT 
is asymptotically constant when the number is big. However 
a straightforward implementation of the QFT requires compu- 
tations with exponential precision. Therefore it is reasonable 
to expect that any realistic implementation of Shor's algorithm 
will require approximations. Coppersmith j9j] has proposed an 
approximate version of the QFT which he called Approximate 
Quantum Fourier Transform (AQFT). In this approach all the 
exponents in question are computed with some accuracy and 
therefore exponential precision can be avoided. The problem 
arises whether such an approximation is stable and whether it 
still guarantees that the probability of period finding is asymp- 
totically constant. There are indications []1TJ that actually the 
probability is a slowly decreasing function of the number to be 
factorized. 

It is expected that quantum computer (QC) outperforming 
classical one (at least for some class of problems |7j) will be 
available in several decades. In all the implementations of QC 
proposed so far, it will require substantial overhead resourses 
in comparison with classical computer, and this is believed to 
be unavoidable in view of the nature of quantum theory. It is 
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also believed that QC will be rather error-sensitive. The prob- 
lem arises whether it is possible, at least at early stages, to 
implement a real quantum computer, which satisfies two re- 
quirements: 

• It will be able to work with numbers, which are rather big 
(say of order 2 100 ) although possibly not so big as desired. 

• As compared to classical computer, it will not require 
big overhead resources and will have the same order of 
(in) sensitivity to errors. 

We believe this problem is solvable and our motivation is 
given below. 

The main difference between classical and quantum computer 
is as follows. While each bit in classical computer can have 
only two possible states, which we can denote as |0) and |1), 
quantum computer operates with qubits which are quantum su- 
perpositions of states |0) and |1). This means that (at least 
in principle) each qubit can be prepared in a state co|0) + Ci|l) 
where Co and C\ are arbitrary complex numbers. This property of 
quantum computer (which is often called quantum parallelism) 
makes quantum algorithms much more efficient than the cor- 
responding classical ones. On the other hand, this is just the 
reason why quantum computer requires big overhead resources 
(in comparison with classical one) and is rather error-sensitive. 
The QFT, which is a quantum version of fast Fourier transform 
(FFT) is much more efficient because it operates with states 
Co |0) + ci 1 1) where Cq = 1 but c\ contains phase factors exp(ia) 
with different values of a belonging to the field of real numbers 
R (see below). 
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The problem of factoring a big integer into primes is formu- 
lated exclusively in terms of natural numbers, and moreover, 
only a finite range of such numbers is involved. One might won- 
der whether for solving this problem it is necessary to involve 
analytical methods which are essentially based on the field of 
real numbers R. In number theory there are many examples 
when propositions related entirely to the natural numbers have 
been proved by using powerful analytical methods. On the other 
hand, many number theorists believe (see e.g. Ref. |TT|| ) that 



such propositions "should be provable without the intervention 
of such foreign ideas" . The history of number theory also con- 
tains many examples when a proposition related to the natural 
numbers was first proved by analytical methods but then a proof 
based exclusively on natural numbers has been found. 

The above remarks make it reasonable to wonder whether it 
is possible to find a quantum factoring algorithm which involves 
only a finite number of integers. Since quantum computer nec- 
essarily operates with superpositions of states |0) and |1), the 
problem arises whether quantum factoring can be efficient if only 
combinations co|0) + ci|l) with a finite number of integers cq and 
ci are involved. Strictly speaking we should make precise the 
following. The power of quantum mechanics is essentially based 
on the fact that the decomposition coefficients can be not only 
real but also complex numbers. Therefore it seems to be unwise 
not to use this power. However we can try to find a solution 
where the coefficients are represented as c = a + ib with only a 
finite number of integers a and b. 

Our belief that such a solution can be found, is based on our 
previous investigations of quantum theories where state vectors 
belong not to conventional Hilbert spaces but to spaces over a 
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Galois field. As shown in our papers [|T2j, it is possible to con- 
struct a fully discrete and finite quantum theory over a Galois 
field, such that if the characteristic of the field is very big then 
the theory is experimentally indistinguishable from the conven- 
tional theory based on the field of complex numbers C. Let us 
note that Galois fields contain only finite numbers of elements 
which can be treated as positive and negative simultaneously. 
For example, the simplest Galois field of characteristic p con- 
tains only p elements 0, 1,2, ...p — 1. Here p — 1 plays the role of 
—l,p — 2 plays the role of —2 etc. 



The present paper is not based on the results JT2| and we 



assume that the behavior of quantum computer is governed by 
conventional quantum mechanics. Nevertheless, for better un- 
derstanding our motivation for quantum factoring algorithm, we 
describe below our motivation for investigations in [O . 



It is quite reasonable to believe that the existing mathemat- 
ics will be insufficient to describe future physics. Suppose, for 
example, that we want to verify experimentally whether addi- 
tion is commutative: a + b = b + a. If our Universe is finite and 
contains not more than N elementary particles then we shall 
not be able to do this if a + b > N. Also it is not clear whether 
conventional division can be always consistent. We know from 
everyday experience that any macroscopic object can be divided 
by two, three and even a million parts. But is it possible to di- 
vide by, say, two or three the electron or neutrino? We can 
divide the gram-molecule of water by ten, million, billion, but 
when we begin to divide by numbers greater than the Avogadro 
number 6 x 10 23 , the division operation loses its sense. 

A possible objection against quantum theory based entirely 
on integers is that such a fundamental notion as probability nec- 
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essarily involves fractions. In our opinion, the notion of probabil- 
ity is a good example for the well-known Kronecker's expression 
that the natural numbers were invented by the God and all oth- 
ers were invented by people. Indeed, the notion of probability 
arises as follows. Suppose that conducting experiment n times 
we have seen the first event n\ times, the second event n<i times 
etc. such that n\ + + ... = n. We introduce the quantities 
Wi(n) = rii/n (these quantities depend on n) and Wi = limwi(n) 
when n — > oo. Then W{ is called the probability of the ith event. 
We see that all information about the experiment under consid- 
eration is given by a set of integers. However, in order to define 
probability, people introduce additionally the notion of rational 
numbers and the notion of limit. Of course, we can use con- 
ventional probability even if quantum theory is based entirely 
on integers, but by doing so we should realize that it is only 
a convenient (or common?) way to describe the measurement 
outcome. 

Another objection closely related to the previous one, is that 
the notion of unitary transformation also necessarily involves 
fractions. However, the requirement that physical transforma- 
tions must be unitary is not necessary. This requirement is based 
in particular on the assumption that the total probability is a 
conserving physical quantity. Meanwhile, the total probability 
does not have any physical meaning, only relative probabilities 
of different outcomes do. Mathematically this is expressed as 
the statement that Hilbert spaces describing quantum systems 
are projective: the elements ip and cip describe the same phys- 
ical state. Therefore it is quite sufficient to require unitarity in 
projective space: the transformation should be unitary up to an 
arbitrary factor. 
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Let us stress again that in the present paper we assume that 
the behavior of quantum computer is governed by conventional 
quantum mechanics. At the same time our algorithm remains 
unchanged for a purely discrete and finite version of quantum 
theory. 

The paper is organized as follows. In Sect. 2 we outline the 
QFT in the way convenient for the subsequent presentation of 
our algorithm in Sect. 3. Numerical results are described in 
Sect. 4 and concluding remarks are given in Sect. 5. 

2 Outline of quantum Fourier transform 

Consider quantum computer operating with n qubits. The 
Hilbert space describing all possible states of this computer is 
the tensor product of n spaces describing the qubits in question. 
The dimension of this space is equal to N = 2 n . The basis of the 
space can be chosen in such a way that the basis element X is 
defined by some natural number x = 0,1, 2, ...N — 1 as follows. 
If 

x = x n ^T- 1 + x n - 2 2 n - 2 + ...x 2° (1) 

is a binary expansion of x, such that each X{ can be either or 
1, then X is represented as a tensor product 

X = \x n -i)\x n - 2 )\x n -3)---\xo) (2) 

If X' is another basis vector defined by x' then, as follows 
from Eqs. ([!]) and (@), X and X' will be orthogonal if x ^ x'. 
Indeed, in that case there exists at least one value of i such that 
Xi 7^ x\ and the orthogonality follows from Eq. (g) . 
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Let Y be another basis element identified by y in a similar 
way. Then the quantum Fourier transform (QFT) is defined as 
an operator F which acts on X as follows 

We can rewrite this definition as 



1 „ . . ,2mxy. . . 

FX = -fff L ll/n-l > |?/n-2 > — 1 2/0 > ex^(— — - ) (4) 

V ly yo,yi,-y n -i ^ 



where the values of yi can be either or 1. In the exponent we 
can use the binary expansions for x and y : and take into account 
the fact that all multiples of 2 n do not contribute to the result. 
Then we arrive at 

i 777- 
FX = -={\0) + exp[-(2x )]\l)} x 



27T 

{|0> + exp[—(2 Xl + x )]\l)} x 

{\0) + exp[^(2x 2 + x 1 + ^)}\l)}....x 

{|0} + ex^[y(2x n _i + x n _ 2 + + ••• 

(5) 

This expression is written in the form which will be convenient 
in Sect. 3. 

In Shor's algorithm, the QFT is applied to special periodic 
states which can be described as follows. Let r « N and 
x(0) < r be some natural numbers. Consider the numbers 
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x (j) = ^(0) + J r 5 where j = 0, 1, ...A — 1 and A is such that 
x(A — 1) < N, x(A) > N . Let X(j) be the basis element de- 
fined by x(j) and 

x = ^= A j:m (6) 

Then, as follows from Eqs. (3) and (6), the probability to find 
a state Y in FX is equal to 

ProKv) = ^\\'^\xp(^pLf (7) 

where Y is defined by y. 

The simplest case is such that r exactly divides N and there- 
fore N = At. Then Prob(y) equals 1/r if y/N = k/r (k = 
0, 1, ...r — 1) and equals for other values of y. Therefore with 
the probability 1 the result of the measurement of the state FX 
is such that y/N equals k/r for some k = 0, 1, ...A — 1, and we 
have good chances to find the period r. As shown by Shor [1-3], 
if we know r then we have good chances to find a prime divisor 
of N where N is the number to be factorized. 

Let us now consider a general case. It is easy to show that 
there exist at least r values of y satisfying 

, V k. 1 

— - - < (8) 

l N r l ~ 2N y J 

For such y we can estimate the sum in Eq. (7) (see e.g. Refs. 
[1-8]) using the property that if a belongs to the interval [0, tt/2] 
then |sma| < a and |sma| > 2a /it. The final result is that at 
least with the probability 4/tt 2 the measured value of y satisfies 
Eq. (|8|) with some k = 0, 1, ...r — 1. (As shown in Ref. [|I3|1 , the 



probability can be amplified but for that purpose the number of 
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bits (and the complexity of computations) should be increased). 
The values of k and r can be efficiently extracted from the values 
of y and N by the continued fraction method, and we can repeat 
the measurements if necessary. Therefore we have good chances 
to find r and then factorize the number in question. 



3 An integral version of quantum Fourier 
transform 

It is clear from Eq. (5), that if Shor's algorithm is used in a 
straightforward way then the following problem arises. For big 
values of N (and only such values are of interest) this expres- 
sion contains very small exponents and therefore the quantum 
measurement preparing the state (5) should be performed with 
exponential accuracy. 

Coppersmith j9j] has proposed an approximate quantum 
Fourier transform (AQFT) such that all the terms containing 
1/2* in the exponents are neglected if / is greater than some 
number m. Then for each e specifying the accuracy of the ex- 
ponents, we can find the required value of m. The complexity 
of the quantum circuit implementing AQFT becomes 0(nlogn) 
instead of 0(n 2 ) for the QFT. Actually the complexity is rather 
sensitive to the required accuracy. If it is small then the com- 
plexity is close to 0(n) and in the opposite case it is close to 
0(n 2 ). The problem arises whether the QFT is stable under 
small perturbations of the exponents and whether the probabil- 
ity of period finding is reasonably high for realistic values of the 
numbers to be factorized. 

This problem has been investigated in Ref. [M and there 
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exists a vast literature devoted to the role of error corrections 
in Shor's algorithm. If m is the maximum number of terms 
retained in each exponent index, then, as shown in Ref. [jKUl , 
Shor's lower bound 4/tt 2 should be replaced by 

MmProb = \sin 2 {\{^- - A max )) (9) 

7T Z 2 2 

In the most favorable case /2\ max = and we again arrive at 
Shor's result. However such a favorable scenario cannot be guar- 
anteed. If m > log n + 2 then it can be guaranteed that 

MmProb = -^sm 2 { ) (10) 

Therefore in the worst scenario the probability will be a function 
decreasing asymptotically as (logn/n) 2 . 

As discussed in Sect. 1, our goal is to find an algorithm which 
can be formulated exclusively in terms of integers. Let us con- 
sider how we can modify Eq. (5) to satisfy this requirement. 
First we note that the presence of the factor 1/y/N is irrelevant. 
This factor is needed only to ensure unitarity but, as noted in 
Sect. 1, it is quite sufficient to require that the transformation 
should be unitary up to a constant factor. Let us now consider 
the exponents in Eq. (5). For the most important qubit our 
requirement is satisfied automatically since exp{mxo) can be ei- 
ther +1 or -1. For the second qubit this requirement is satisfied 
too because exp{mxo/2) can be either or i (as noted in Sect. 
1, we allow the coefficients to be of the form a + bi where a and 
b are integers). For the third qubit the requirement is not al- 
ways satisfied because if x$ equals 1 then the coefficient contains 
exp{iii/4) = (l + i)/v2- For the subsequent qubits the state |1) 
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enters with the coefficient exp(ia) where 

a = n( Xl + X -f + X -f + X -f + ..^) (11) 

We can ensure the integrity of the coefficient by neglecting all 
the terms beginning from x;_2/4. In that case we will have the 
the AQFT when the maximum number of terms retained in each 
exponent index equals m = 2 (the simplest case of the AQFT 
corresponding to m=l is known as the Hadamard transform). 
The value of a in that case will be always underestimated if at 
least one of the numbers £/_2,^z-3, ■ ■■%o is not equal to zero. In 
the worst scenario the difference between the exact and approx- 
imate values of a can be close to tt/2 and can accumulate for 
different qubits. 

Another option is to replace the expression (11) by 

^TTW + y + y) (12) 

In that case the coefficient in question also will be integral as 
required. If x;_2 = then (3 is always less or equal a and their 
difference does not exceed 7r/4 in the worst scenario. On the 
contrary, if x;_2 = 1 then (3 is always greater than a and in the 
worst scenario the difference also cannot exceed 7r/4. One might 
hope that for different qubits the both effects may considerably 
cancel out, and the result will be close to that given by the QFT 
or some higher order AQFT. 

A straightforward generalization of our proposal is that for 
m > 2 the AQFT in the mth approximation can be modified as 
follows. When one considers the contribution of 

ind = 2m{xi + ^y + ..y) (13) 
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to the exponent in the mth approximation, then, instead of re- 
taining rn terms as 

indm = 2m(xi + ^ + ■■■ ^ m m ^ 1 ) (14) 

we propose also to retain the (m + l)th term but with the coef- 
ficient 2: 

ind' m = 2iiv(x l + ^ + -^?r + (15) 

The above arguments make it reasonable to think that in that 
case the convergence to the QFT will be better and our results 
for m = 3 in Sect. 4 confirm this. However it is clear that for 
m > 2 the AQFT is not formulated only in terms of integers. 

To summarize, we are going to investigate the transform 
which, by analogy with Eq. (j5j), reads 



1 77T 

FjX = -={\0) + exp[-j(2x )]\l)} x 



ITT 

{\0) + exp[—(2x 1 + x )]\l)} x 

ITT 

{|0> + exp[— (2x 2 + x x + i )]|l>}.... x 

ITT 

|0) + exp[—(2x n ^i + x n _ 2 + a; n _ 3 )]|l) (16) 

Here the subscript I in F stands for "integral". 

As noted in Sect. 1, the overall normalization factor 1/yN is 
irrelevant. We retain it for convenience of the readers preferring 
strict unitarity. It is easy to show that the operator Fj is indeed 
unitary. Indeed, the norm of FjX is equal to 1, i.e. the norm of 
X. Furthermore, if X and X' are orthogonal, the same is true 
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for FjX and FjX'. Indeed, as follows from Eq. ([TBj), the contri- 
bution of the leftmost bit to the scalar product (FjX, FjX') is 
equal to 1 + (— l) x °~ x o. This quantity is not equal to zero only if 
xq = x'q. If this is the case then the contribution of the second 
bit from the left is obviously equal to l + (—l) Xl ~ x>1 . Analogously, 
the result is not zero only when By repeating this pro- 

cedure we conclude that (FjX, FjX') is not equal to zero only 
if X = X'. 

Apart from the (irrelevant) normalization factor in Eq. ([TB|), 
all the coefficients in front of |1) in this expression obviously have 
only one of four values: — 1,— i. Therefore the algorithm 
based on Fi indeed operates only with integers. 

It is clear from Eq. ([TO]) that the quantum circuit implement- 
ing the transformation Fj has the complexity 0(n) but the main 
problem of course is whether our algorithm allows to peak the 
required values of y with a reasonable probability. 

We denote 

f(x, y, n) = [2(x y n -i + xi?/ 71 _2 + ■■■Xn-Wo) + 

(xoVn-2 + £l2/n-3 + •■■^n-22/o) + 
(xoVn-3 + XlVn-4 + ■••^n-32/o)] (mod 4), 

g(x,y,n) = exp[—f(x,y,n)] (17) 

The function g(x, y, n) can obviously have only one of the values 
Then we can rewrite Eq. (|TB|) as 

1 y=N-l 

FiX = ^= E 9(x,y,n)Y (18) 

VA y= 

and apply this transformation to the state defined by Eq. (0). 
The overall factorization factors 1 / \fN and 1 / \fA are not impor- 
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tant, but if we wish to describe different measurement outcomes 
in terms of conventional probability (see the discussion in Sect. 
1), it is convenient to retain them. As follows from Eq. (|IBf), 
the (conventional) probability of the measurement outcome y is 
given by 

Probjiy) = 4lV £ 1 g(x(0)+jr,y,n)\ 2 (19) 

In the most favorable case, when the quantity g(x(0) + jr, y, n) 
is the same for all the values of j, the quantity Probj(y) is equal 
to A/N . As noted in the preceding section, for the QFT this is 
the case, in particular, when r exactly divides N (i.e. N = Ar) 
and y = kA for some natural k in the range 0, 1, ...r — 1. The 
same is valid in our case. Indeed, at such conditions we have 
r = 2 l where / is an integer which is much less than n (because 
the algorithm applies only if r << N) and A = 2 n ~ l . The 
binary expansion of r obviously contains only the lih nonzero 
bit. Therefore the first / — 1 bits in all the numbers x(0) + jr 
are the same. At the same time, the first n — I — 1 bits of the 
number y = kA are always equal to zero. Therefore, as follows 
from Eq. (|T7f) , the quantity f(x, y, n) depends only on the first 
/ — 1 bits of x and thus f(x(0) + jr,y,ri) is indeed the same 
for all the values of j. Let us note that the same arguments 
apply to the QFT (in which case they can be treated as a proof 
based not on geometric series of phase factors but on positions 
of relevant bits in x and y) and to any version of the AQFT. 
Therefore the requirement Probi(y) = A/N for such conditions 
does not impose practical restrictions on the algorithm. 

In the general case we did not succeed in finding a good es- 
timation for Probj(y) and therefore we should perform direct 
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numerical computations of this quantity. The results are de- 
scribed in the next section. 

4 Numerical results 

It is clear from Eqs. ( p7| ) and (p~5| ) that the success of straight- 
forward numerical computations of the probabilities in question 
depends mainly on how efficiently the function g(x } y, n) can be 
calculated. Of course, for particular values of x and y this is 
a trivial task for modern computers. However in real computa- 
tions this function should be calculated for many different values 
of x and and the time of the computation crucially depends 
on the computational algorithm. As follows from Eq. (|T7| ), the 
computation of g(x, y, n) requires a direct access to each bit 
and therefore it is reasonable to believe that such programming 
languages as C or C++ (to say nothing about assembly lan- 
guage) will be convenient for that purpose. Moreover, all the 
modern implementations of C++ compilers include the stan- 
dard template library (STL) which contains a container called 
bitset. Consider, for example, the expression 

h(n) = x Q y n -i + xiy n - 2 + ••• + Zn-iZ/o (20) 

It is clear that the function g(x, y, I) is defined by h(l) with 
I = n, n — l,n — 2. Let z be an n-bit integer which is a reversal 
ofy: 

z= £ Zl T= E Vn^i2 l (21) 

i=0 i=0 

Then 

h(n) = x z + xizi + ... + (22) 

We can create two bitsets representing the arrays of bits for x 
and z, say B(x) and B(z), respectively. Then it is clear from 
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Eq. (|22|), that h(n) is equal to the number of bits in the array B 
obtained by ANDing the arrays B(x) and B(z). The STL pro- 
vides the overloaded operator for that purpose (which is called 
& =) and the function count () which says how many nonzero 
bits the bitset in question has. However there are practical in- 
conveniences in using this approach. The matter is that in the 
existing version of the STL, the bitset constructor, creating a 
bitset from the number in question, and the inverse function, 
converting the bitset to a number, are implemented only for 
numbers less than 4294967296 which are represented by 32 bits. 
Therefore for bigger numbers one should write his or her own 
versions of those functions. In any case, ANDing bits is much 
faster than a straightforward multiplication for computing prod- 
ucts in Eq. (|22|). 

The second problem is that for rather small values of N = 2 n 
(say n < 27 or A < 134217728) we can compute probabilities for 
all the values of y in a reasonable time. However the complexity 
is growing with A roughly as A and for essentially bigger values 
of A this seems to be unrealistic if standard computers are used 
for that purpose. Let us recall that our main goal is to extract 
the value of r from the measured value of y. As noted above, 
for y satisfying Eq. (§) one can recover the values of k and r by 
the continued fraction method. Are other values of y of any use 
for us? 

To answer this question we recall how the continued fraction 
method is used for extracting the period from the measurement 
outcome. If N is the number to be factorized then the adopted 
strategy is to choose A = cN 2 where typically c is a small 
number (say in the range 2-5) such that A is a power of two. 
The reason is that on the one hand, for a given N we want to 
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work with the least possible number of bits, but on the other 
hand we should unambiguously extract the period r. The value 
of r is always less than N by construction of Shor's algrithm (r 
is defined as a period of a function f(x) = a x (mod~N) where 
a is a number coprime to N [1-3]). We use the property of 
the continued fraction method that if k\/r\ and A/2/V2 are two 
continued fractions for y/N then £2/^2 approximates y/N better 
if and only if T2 > T\ (see e.g. Ref. flnjQ . Therefore our approach 
is as follows. For a given y we develop continued fractions for 
y/N and stop if the next approximation has the denominator 
greater or equal than N. Then for each y we can unambiguously 
find a continuos fraction k\/r\ satisfying the requirement that 
it is the best approximation among the continuos fractions with 
the denominator less than N. However in the general case the 
result may have nothing to do with the period r. 

Suppose however that y satisfies Eq. (g) and k\jr\ is the 
best approximation obtained in such a way. If k\/r\ ^ k/r 
then obviously \k/r — k\/r\\ < 1/N but on the other hand this 
contradicts the obvious fact that they also satisfy \k/r—k\/r\\ > 
\jrr\ > c/N. Therefore for y satisfying Eq. (§) k/r is the best 
approximation obtained as described above. 

Let us now reformulate the problem in this way: if y satisfies 
Eq. (@) and k/r is the continued fraction for y/N then can we 
guarantee that for values of y\ close to y, yi/N is approximated 
by the same continued fraction k/r? Suppose that \yi — y\ = a, 
k\/r\ is the best approximation for y\ and k\/r\ ^ k/r. Then 
on the one hand \k/r — ki/r\\ > l/rr\ > c/N and on the other 
\k/r - ki/ri\ < (2a + 1)/N. This is impossible if a < (c - l)/2. 
We conclude that, depending on the value of c, k/r satisfying 
Eq. (g) represents also the best approximation for the values y\ 
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in some vicinity of y. 

Taking into account the above consideration we adopted the 
following approach. For n < 27, when it is still realistic to test 
each value of y, we did this. For greater values of n we tested 
only the values of y satisfying Eq. (|8j) and the values of y\ in 
some vicinities of those y (see below). 

Let us first describe the results for n < 27. As follows from 
Eq. ( [Hp , the contribution of each y to the total probability is 
characterized by the quantity 

RP{V) = \V E 1 g{x{Q)+jr iy ,n)\ 2 (23) 

A 3=0 

where RP stands for relative probability. For a given n we 
chose at random the values of x(0) and r such that x(0) < r 
and r < 2 n l 2 . Then we computed RP{y) for each y. We set 
some threshold, say 0.05, and looked for the y passing over that 
threshold, i.e. for such values of y that RP(y) was greater than 
the threshold. Then we computed the continued fraction for 
y/N and tested whether it is equal to k/r where r is the pe- 
riod and k is one of the numbers 0, 1, 2, ..r — 1. The result is 
that in about 100 computations only the values of y satisfying 
Eq. (@) and in some cases y\ such that \y\ — y\ = 1 passed over 
the threshold. Moreover, all such values of y passed over the 
threshold 0.05. When there were two values, y and yi, pass- 
ing over the threshold and approximated by k/r then typically 
RP(y) was considerably greater than RP(y{) for the y satisfying 
Eq. Q8j). However we have found several cases when RP(yi) was 
greater. 

For example, for n = 25, x(0) = 85, r = 713 both, y\ = 
23906944 and y = 23906945 pass over the threshold and are 
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approximated by 508/713. The result is RP(yi) = 0.120148 
and RP(y) = 0.118273 but it is the second value which satisfies 
Eq. ®. * 

For n = 26, x(0) = 211, r = 975 both, y 1 = 1996058 and 
y = 1996059 are approximated by 29/975; we have RP(y\) = 
0.106606 and RP{y) = 0.0898572 but again it is the second 
value which satisfies Eq. (§). 

For n = 27, x(0) = 163, r = 674 both, y 1 = 3186177 and 
y = 3186178 are approximated by 8/337 = 16/674; RP(yi) = 

0. 146263, RP(y) = 0.143943; again only the second value satis- 
fies Eq. (§). 

In all the three cases the quantity \yi/N — k/r\ only slightly 
exceeds 1/2N. 

For n > 27 testing each value of y becomes unrealistic and 
therefore we should decide what our main priorities are. What 
is the main characteristic of the algorithm? As we already dis- 
cussed, the probability to successfully extract the value of k/r 
from the measurement outcome depends on r and in favorable 
cases can be 1. However such cases are not typical. We should 
ask ourselves whether there exists a minimum probability of 
success, such that for all values of r and x(0) the probability of 
success is always greater than the minimum probability. 

The results for n < 27 give strong evidence that only val- 
ues of y satisfying Eq. (g) and possibly some close values can 
essentially contribute to the probability of success. For this rea- 
son we adopt the following approach in the general case. For 
given values of n, x(0) and r we test only the values [Nk/r] — 

1, [Nk/r], [Nk/r] + 1, [Nk/r] + 2 for k = 1, ...r - 1 (the case 
k = is obviously trivial) and compute only the contribution of 
these values to the probability of success Pr. These quantities 
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represent four numbers in the vicinity of some y satisfying Eq. 
(|8]). We denote Pr(y) the relative contribution of all these num- 
bers to the probability of success, i.e. the sum of the quantities 
RP(y) for those y. Let MinPr(y) be the minimum value of 
Pr(y) for a given run. We also use Pr min to denote the mini- 
mum value of the total probability of success Pr in all our runs 
for a given n. 

The table of the quantities Pr min for 20 < n < 34 is given 
below. 

Our observation is that for odd values of r the probability 
is usually very close to Pr min , for the values of r divisible by 2 
(i.e. for even numbers) it is greater and increases for the values 
of r divisible by 4, 8 etc. This is natural in view of the above 
discussion. For this reason, for 32 < n < 34 where we carried 
out only a few runs, we tested only odd values of r. For such 
values of r we ran the program on the Windows 2000 machine 
equipped with two processors running at 1 GHZ each. The 
availability of two processors makes it reasonable to implement 
the program as a two-threaded application. Then for n = 32 
it typically takes 4 hours to run each test with a given choice 
of x(0) and r. For n = 33 this time becomes 9 hours and for 
n = 34 - 20 hours. We ran four cases for n = 32, three cases for 
n = 33 and two cases for n = 34. For each n the results for Pr 
are very close to each other and the minimum values of Pr(y) 
also do not differ significantly. 

For n = 32 (N = 4294967296) the results are Pr = 0.195057, 
MinPr{y) = 0.103743 for x(0) = 863, r = 11337; Pr = 
0.195051, MinPr{y) = 0.119318 for x{0) = 9774, r = 22239; 
Pr = 0.195057, MmPr(y) = 0.120364 for x(0) = 17867, r = 
21229 and Pr = 0.195049, MinPr{y) = 0.103555 for x(0) = 
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Tabic 1: The quantities Pr min at different values of n (see text). 



n 
Pr 

1 ' nun 


20 21 22 23 24 25 
0.3630 0.3450 0.3270 0.3108 0.2951 0.2802 


n 
Pr 

± ' mm 


26 27 28 29 30 31 
0.2661 0.2527 0.2399 0.2278 0.2163 0.2054 


n 
Pr 

1 1 nun 


32 33 34 
0.1950 0.1852 0.1759 



13559, r = 33225. 

For n = 33 (N = 8589934592) the results are Pr = 0.185207, 
MmPr{y) = 0.114707 for x(0) = 17226, r = 39041; Pr = 
0.18524, MinPr{y) = 0.0967657 for x{0) = 9244, r = 18267 and 
Pr = 0.185205, MmPr{y) = 0.0969796 for x(0) = 21533, r = 
27663. 

For n = 34 (N = 17179869184) the results are Pr = 
0.175864, MinPr{y) = 0.114707 for x(0) = 9244, r = 54337 and 
Pr = 0.174863, MmPr{y) = 0.103516 for x(0) = 26700, r = 
36989. 

The results confirm our observation for smaller values of n 
that when there are no special favorable circumstances, the value 
of Pr is almost universal, i.e. practically does not depend on 
x(0) and r. This shows that our algorithm is very stable, and 
Pr m i n is probably a universal function of n. The quantities 
P^min at different values of n are shown in Table 1. 

The data for MinPr(y) are more irregular. In general these 
values decrease with the increase of n but are rather sensitive to 
the choice of x(0) and r. The minimum value of MinPr(y) for 
all our runs is equal to 0.0967657. It was observed for n = 33 
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(see above), not n = 34 what might seem to be rather strange 
and may be an indication that there exists a minimum of this 
quantity which is not equal to zero when n — > oo. However 
the existing amount of data is obviously insufficient for drawing 
such a conclusion. 

We did not succeed in finding a simple function describing 
the data in Table 1. If one tries to approximate the data as 
Pr mm (n) = Const/n c then the value of c for n G [20,34] is in 
the range [1.35, 1.7]. 

In the preceding section we have also proposed a modifica- 
tion of the AQFT (see Eqs. (|T^|T5|)). In Table 2 we display 
the results of computations of the quantity Pr m i n in the first 
"post integral" approximation corresponding to m = 3. In this 
case decomposition coefficients can take the values of exp{ml/4) 
(I = 0, 1, ...7) and the problem is no longer formulated only in 
terms of integers. The results show that the probability of pe- 
riod finding is significantly amplified. Moreover, the results for 
MinPr(y) become much more stable and in all our computa- 
tions this quantity was rather close to Pr m i n . The minimum 
value of MinPr(y) in our computations is 0.556 for n = 31. This 
does not improve the estimation 4/7T 2 « 0.405 of the minimum 
relative probability in Shor's algorithm because, as explained 
above, Pr(y) represents the contribution of four values of y\ in 
the vicinity of y satisfying Eq. Q8|). 

It is clear at a glance that the data in Table 2 have a much 
slower fall off with the increase of n than those in Table 1. If the 
data are approximated as Pr min (n) = Const /n c then the value 
of c for n G [20,31] is in the range [0.25,0.38] i.e. much better 
than in the pessimistic estimate (pP| ) for the conventinal AFQT. 
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Table 2: The quantities Pr min for our modification of the AQFT at 
m = 3 (see text). 



n 
Pr 

1 1 mm 


20 21 22 23 24 25 
0.7568 0.7472 0.7375 0.7282 0.7188 0.7096 


n 
Pr 

1 1 mm 


26 27 28 29 30 31 
0.7006 0.6916 0.6827 0.6740 0.6654 0.6569 



5 Discussion 

In this paper we have proposed a quantum algorithm for factor- 
ing which involves only a finite number of integers. There are 
strong numerical indications that the minimum probability to 
extract the correct value of k/r, where r is the period and k is 
one of the numbers 0, 1, ...r — 1, is a universal function of the 
number of qubits n in question. Table 1 in the preceding sec- 
tion displays minimum probabilities in the range 20 < n < 34. 
where n = log N and N is a number used for factorizing a big 
number N. As noted above, the adopted strategy is to choose 
N = cN 2 where c > 1 is a small number (say in the range [2,5]). 
Therefore for big values of N, log N is proportional to log N. 

The numbers in Table 1 are less than the lower bound 4/n 2 « 
0.405 for Shor's algorithm and decrease with the increase of n. 
Therefore a greater number of repetitions will be required to 
ensure the success. On the other hand, for quantum computer 
implementing our algorithm, the corresponding quantum circuit 
has a smaller complexity (0(n) instead of 0(n 2 )), a much less 
amount of resources is required and, since the algorithm involves 
only integers, its (in) sensitivity to errors is expected to have 



24 



the same order of magnitude than that for classical computer. 
Classical computer operating with n bits has N = 2 n states while 
in the version of quantum computer implementing our factoring 
algorithm with n qubits, the number of states does not exceed 
4 AT. This is a consequence of the fact that the dimension of the 
Hilbert space for an n-qubit system is equal to N and we need 
only linear combinations of basis elements with the coefficients 
-1, -%. 

We have also proposed a modification of Coppersmith' Ap- 
proximate Quantum Fourier Transform (AQFT). The results in 
Table 2 show that the probability of period finding is signifa- 
cantly amplified already in the first post integral approximation 
and the fall off with the increase of n is much slower. However 
this approximation no longer can be formulated only in terms 
of integers. Quantum computer operating with n qubits in this 
approximation will require 8N states because now the coeffi- 
cients can take the values of exp(inl/4:) (/ = 0, 1, ...7). In this 
case it will be also necessary to determine a required accuracy 
for \/2. In general it is clear that each next approximation will 
require a greater amount of resources and will have a greater 
er r or- sensit ivity. 

At early stages of development of quantum computer our in- 
tegral version of Shor's algorithm should be quite sufficient but 
for very big numbers one should look for better approximations. 
If one adopts a conventional approach then the above results 
give grounds to believe that by using our modification of the 
AQFT it will be possible to reduce the number of required ap- 
proximations. At the same time, it is of indubitable interest to 
investigate whether there exists a quantum factoring algorithm 
which involves only integers and guarantees that the probability 
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of period finding is asymptotically constant. 
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